Date: Wed, 07 Jun 2006 21:43:16 -0700
From: Doug Barton <dougb@FreeBSD.org>
To: Maxim Konovalov <maxim@macomnet.ru>
Cc: current@freebsd.org
Subject: Re: named recursive queries
Message-ID: <4487AAE4.6020209@FreeBSD.org>
In-Reply-To: <20060608015022.Y52876@mp2.macomnet.net>
References: <20060608015022.Y52876@mp2.macomnet.net>
Maxim Konovalov wrote:
> [ Bikeshed zone ]
>
> I think we need to stop spreading misconfigured named's too. Any
> objections?
Yes. :) The default named.conf already has the following:
listen-on { 127.0.0.1; };
Which is a more effective solution to the problem. (Although you're not the
first person to suggest this, so don't feel bad.) :)
That said, BIND 9.4 is going to have a default for allow-recursion of
"localhost; localnets;" which might be a good thing for us to make explicit
now, so our users have a chance to get used to the idea. Comments?
Doug
> Index: named.conf
> ===================================================================
> RCS file: /home/ncvs/src/etc/namedb/named.conf,v
> retrieving revision 1.22
> diff -u -p -r1.22 named.conf
> --- named.conf 5 Sep 2005 13:42:22 -0000 1.22
> +++ named.conf 7 Jun 2006 21:56:26 -0000
> @@ -30,6 +30,13 @@ options {
> //
> // forward only;
>
> +// Prevent external networks from using us to query domains we are not
> +// authoritative for.
> +//
> + allow-recursion {
> + localhost;
> + };
> +
> // If you've got a DNS server around at your upstream provider, enter
> // its IP address here, and enable the line below. This will make you
> // benefit from its cache, thus reduce overall DNS traffic in the Internet.
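Review bot: the new allow-recursion block lists only localhost, which is narrower than the "localhost; localnets;" default the reply mentions for BIND 9.4; a host that is later configured to listen on a LAN interface will refuse recursion for its own network until the admin edits this block. Suggest either adding `localnets;` beside `localhost;` or extending the comment to say that local networks must be listed here. Also, since the shipped named.conf already has `listen-on { 127.0.0.1; };`, the comment "Prevent external networks from using us to query domains we are not authoritative for" should note that this ACL only comes into play once listen-on is widened, so readers do not assume it is what currently keeps the server closed to outside queries.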
>
--
This .signature sanitized for your protection
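The thread turns on two options statements, listen-on and allow-recursion, and on how they combine: a loopback-only listen-on keeps the server unreachable regardless of recursion, while widening listen-on without an allow-recursion ACL produces an open resolver. The following checker is an added example, not code from the thread or from FreeBSD; it reads the options block of a named.conf and reports which of the three situations a given file is in. The three sample configurations (OPEN_CONF, DEFAULT_CONF, HARDENED_CONF) are constructed for the example, and the parser deliberately understands only the statements discussed here plus BIND's predefined ACL names.

```python
"""Added example: classify a named.conf options block for open recursion.

Not from the thread or FreeBSD's named.conf; written to illustrate the
interaction between listen-on and allow-recursion that the reply describes.
"""
import re

# Sample configurations, constructed for this example.
OPEN_CONF = """
options {
    directory "/etc/namedb";
    listen-on { any; };
    // recursion defaults to yes and allow-recursion is not set
};
"""

DEFAULT_CONF = """
options {
    directory "/etc/namedb";
    // Loopback only, as the shipped named.conf does.
    listen-on { 127.0.0.1; };
};
"""

HARDENED_CONF = """
options {
    directory "/etc/namedb";
    listen-on { 192.0.2.53; 127.0.0.1; };
    /* Make BIND 9.4's upcoming default explicit. */
    allow-recursion {
        localhost;
        localnets;
    };
};
"""

# ACL elements that only ever match the local host itself.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def strip_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def options_block(text):
    """Return the body of the options { ... } block, honouring nested braces."""
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return ""
    depth, i = 1, m.end()
    while i < len(text) and depth:
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[m.end():i - 1]


def address_list(block, name):
    """Return the elements of `name { a; b; };`, or None if the statement is absent."""
    pattern = r"\b%s\s*(?:port\s+\d+\s*)?\{([^}]*)\}" % re.escape(name)
    m = re.search(pattern, block)
    if not m:
        return None
    return [e.strip() for e in m.group(1).split(";") if e.strip()]


def assess(conf):
    """Classify recursion exposure as 'closed', 'restricted' or 'open'."""
    block = options_block(strip_comments(conf))
    listen = address_list(block, "listen-on")
    recursion = address_list(block, "allow-recursion")
    recursion_off = re.search(r"\brecursion\s+no\s*;", block) is not None
    # An absent listen-on means all interfaces; 'any' or a non-loopback
    # address likewise makes the port reachable from other hosts.
    reachable = listen is None or any(a not in LOOPBACK for a in listen)
    if recursion_off or not reachable:
        verdict = "closed"       # nobody outside the host can get recursion
    elif recursion is None or "any" in recursion:
        verdict = "open"         # recursion for whoever can reach the port
    else:
        verdict = "restricted"   # recursion limited by the ACL
    return {"listen_on": listen, "allow_recursion": recursion, "verdict": verdict}


if __name__ == "__main__":
    for label, conf in (("open", OPEN_CONF), ("default", DEFAULT_CONF),
                        ("hardened", HARDENED_CONF)):
        print(label, assess(conf))
```

Running the file prints one line per sample: the default file is "closed" because nothing outside the host can reach port 53, the file that widens listen-on without an ACL is "open", and the hardened file is "restricted" to localhost and localnets. The checker does not evaluate view blocks or named ACL definitions, so a real audit still needs named-checkconf and a query from outside the host.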